Brazil - New Banking Trojan Uses GMER Technique

In a blog post on TrendMicro.com dated October 20, 2009, Jessa De La Torre, Threat Response Engineer, wrote that Brazilian banks were again being targeted by a banking Trojan, this time using a new method: abusing a well-known anti-rootkit application, GMER.

Trend Micro detects this banking Trojan as TROJ_DLOAD.BB. Once installed, the Trojan installs a legitimate copy of GMER along with a malicious rootkit component detected as TROJ_DAMM.AB.

This Trojan may be downloaded from remote sites by other malware, dropped by other malware, or downloaded unknowingly by a user visiting a malicious site. As part of its download routine it also drops files and adds registry keys.

The Trojan connects to specific URLs to download a copy of the legitimate file GMER.EXE. It also drops a file that Trend Micro detects as TROJ_DAMM.AB.

The Trojan also creates a batch file that terminates the processes associated with G-Buster Browser Defense, a security application used by many Brazilian banks to protect customer information and preserve privacy during online transactions. Without this application, the details exchanged in those transactions may be exposed to attackers and later used for fraud.

With yet another new technique being put to use by criminals, the question that comes to many web users' minds is why Brazil leads the world in producing this kind of malware.

One reason is that Brazil is the largest country in Latin America, where almost one third of the population uses the web and that number is still growing.

Another reason is that Brazil's highly stratified social structure often means that people on low incomes are drawn into unlawful activity, including writing malware to steal banking customers' data.

Finally, Brazil lacks legislation that effectively addresses cyber crime.

The practice of abusing a legitimate security tool to carry out malicious actions is not new. There are precedents, and Trend Micro reports that another application, 'The Avenger' (a fully scriptable, kernel-level Windows driver), is being misused by criminals in the same way.